95% of cyber security breaches are due to human error, which in
reality means the error could come from any user, at any time. Worse
still, they probably won't even know they're doing something wrong, but
they have just become an unintentional insider threat. As
Andy Pearch, Head of IA Services, CORVID, explains, organisations need
to stop playing the blame game and pointing fingers at users when the
system is compromised and instead ensure they have the right technology
in place to take back control of their security defences.

Unintentional insider threats.

A person becomes an unintentional insider threat when they
unwittingly allow a cyber attacker to achieve their goal--whether
that's a breach of systems or information, or diverting payments to
a criminal's account. This can be through negligence or lack of
knowledge, but can also be a result of just doing an everyday job.

Unintentional insider threats are particularly dangerous because
the traditional methods of identifying insider threats don't
work on them: these employees don't try to hide emails or files,
because as far as they're aware, they're not doing anything wrong. If an
attacker presents themselves as a legitimate person with the right
credentials to request a change, the unsuspecting employee will probably
respond exactly as the attacker was hoping.

Trusted employees have access to company-sensitive information,
assets, and intellectual property, and permission to make financial
transactions--often without requiring any further approval. Threat
actors target these privileged, trusted people--impersonating suppliers,
regulators, and known colleagues--and try to encourage them to do
something they have permission to do, but shouldn't.

Removing reliance on users.

Email allows threat actors to communicate with users with almost no
defensive barriers between them. Even the most diligent employee gets
distracted, rushed, or slightly too tired, which is all it takes for a
malicious email to achieve its objective--whether that's clicking a
link, opening an attachment, or trusting the email's source enough
to reply. Employees don't expect to be attacked in a safe office
environment but threat actors prey on this perceived safety to catch
them off guard and socially engineer them into doing something they
shouldn't.

Many people think they know what a spam email looks like, but 97%
of people are unable to identify a sophisticated phishing email. This is
hardly surprising when considering there are, comparatively, so few
highly convincing fake emails; because they aren't seen every day,
employees aren't always looking out for them. Then there are some
methods of impersonation that organisations can't realistically expect
users to detect: for example, spotting the difference between an I, an l
and an i (capital I, lowercase L and lowercase i, respectively) in a
sender's domain, where a single lookalike character turns a trusted
address into one the attacker controls. Attackers know that employees
aren't meticulously scanning every email for tiny details like
this, so they take advantage. If an organisation's email security
currently relies on users correctly identifying malicious emails 100% of
the time, quite simply, its defences are going to succumb to attack.
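The lookalike-character problem above is exactly the kind of check that belongs in technology rather than in a tired employee's eyes. The following is an added illustration, not CORVID's product code or anything from the original article: it reduces a sender's domain to a "skeleton" in which visually confusable characters (I/l/1/i/|, 0/O, rn/m, common Cyrillic homoglyphs, punycode-encoded IDNs) collide, then compares that skeleton with a list of trusted domains. The trusted-domain list, the sample headers and the confusable table are constructed for the example; a production implementation would use the full Unicode confusables data.

```python
"""Lookalike-sender check: flag From: domains that are visually confusable
with a trusted domain. Added illustration, not CORVID's product code."""
import unicodedata
from email.utils import parseaddr

# Constructed list of domains the organisation trusts (an assumption for this example).
TRUSTED_DOMAINS = {"corvid.co.uk", "example-supplier.com"}

# Single characters that look alike, mapped to one canonical "skeleton" character.
# Case is folded first, so a capital I arrives here as "i"; i, l, 1 and | all become "l".
SINGLE_CONFUSABLES = {
    "i": "l", "1": "l", "|": "l",
    "0": "o",
    "5": "s",
    "8": "b",
    # Cyrillic letters that render identically to Latin ones in most fonts.
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "l",
}
# Digraphs that read as a single letter at a glance (e.g. "rn" for "m").
PAIR_CONFUSABLES = {"rn": "m", "vv": "w"}


def decode_punycode(domain):
    """Turn an IDN in xn-- form back into Unicode so homoglyphs become visible."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or not valid punycode: leave as-is


def skeleton(domain):
    """Canonical form in which confusable spellings of a domain collide."""
    text = unicodedata.normalize("NFKC", decode_punycode(domain)).casefold()
    text = "".join(SINGLE_CONFUSABLES.get(ch, ch) for ch in text)
    for pair, single in PAIR_CONFUSABLES.items():
        text = text.replace(pair, single)
    return text


def sender_domain(from_header):
    """Extract the domain from a From: header value such as 'Name <user@host>'."""
    _, address = parseaddr(from_header)
    return address.rpartition("@")[2].lower()


def classify_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Return ('trusted', domain), ('lookalike', imitated_trusted_domain)
    or ('unknown', None) for the sender of a message."""
    domain = sender_domain(from_header)
    if domain in trusted:
        return "trusted", domain
    sk = skeleton(domain)
    for candidate in trusted:
        if skeleton(candidate) == sk:
            return "lookalike", candidate
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample From: headers for the demonstration.
    samples = [
        "Andy Pearch <andy@corvid.co.uk>",        # genuine
        "Andy Pearch <andy@corvld.co.uk>",        # lowercase L for i
        "Andy Pearch <andy@corv\u0456d.co.uk>",   # Cyrillic i for Latin i
        "Accounts <ap@exarnple-supp1ier.com>",    # rn for m, 1 for l
        "Bob <bob@gmail.com>",                    # simply unknown
    ]
    for hdr in samples:
        print(f"{hdr!r:45} -> {classify_sender(hdr)}")
```

A "lookalike" verdict is the signal the article asks for: the message can be held or banner-tagged so the employee gets an informed prompt before replying, rather than being expected to spot the character swap unaided. Note that domain names are case-insensitive, so a capital I in a genuine address is not a lookalike; the check lowercases before comparing.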

Preventing the unintended.

Research shows that 90% of organisations feel vulnerable to insider
attacks, so now is the time for change. Monitoring normal access and
behaviour patterns can give early warning signs of potential
intentionally malicious activity, but the same can't be said for
unintentional insider threats. The attacker's request could be
comfortably within the scope of an employee's daily duties.

The information available to users is often insufficient for them
to determine whether an email is legitimate. As such, they should be
suspicious and challenge requests, especially if they're unexpected
or urgent. Checks should also be put in place for a second pair of eyes
to confirm certain requests before any action is taken, for example,
changing payment details or making unscheduled wire transfers. If the
request is for a financial transaction or asks for sensitive or personal
information, phone the person who made the request, using contact
details you already hold rather than any given in the email (or better
still, speak to them face-to-face), to confirm it's genuine.

There is only so much humans can do. By having technology in place
that alerts users to potentially malicious content and enables them to
make an informed decision about an email's nature and legitimacy
before acting on it, organisations can take back control of their
security defences instead of playing the blame game and pointing fingers
at users when the system is compromised.

www.corvid.co.uk

Andy Pearch, Head of IA Services, CORVID.

COPYRIGHT 2019 A.P. Publications Ltd.
No portion of this article can be reproduced without the express written permission from the copyright holder.